If you have ever sailed with Carnival, Princess, Holland America, or one of their sister cruise lines, your personal information may now be in the hands of criminals. Carnival Corporation has confirmed a data breach that affects nearly 6 million people, and Texas is one of the hardest-hit states. The Texas Attorney General’s office puts the number of affected Texans at more than 800,000.
The data that was taken is the kind that does real damage. Names, home addresses, dates of birth, and in many cases driver’s license and passport numbers. Here is what happened, how to find out if you were caught up in it, and the steps you can take right now to protect yourself.
What happened in the Carnival data breach
Carnival’s IT security team spotted unauthorized activity on an employee’s account on April 14, 2026. The intrusion itself traces back a few days earlier, to around April 10. By April 22, the company had determined that an attacker copied personal information out of its systems.
The break-in did not start with a clever piece of malware. It started with a person. The attacker used social engineering, posing as someone the employee would trust, and talked their way into access. From there they reached a portion of Carnival’s network and pulled out files containing customer and employee data.
A filing with the Maine Attorney General’s office lists 5,995,277 people affected, which is where the “nearly 6 million” figure comes from. The ShinyHunters extortion group has claimed responsibility and says it took even more than that.
Why Texas is one of the hardest-hit states
Galveston is one of the busiest cruise ports in the country, and a lot of Texans book Carnival sailings out of it. That is reflected in the numbers. According to the Texas Attorney General’s office, more than 800,000 Texans may have had their information exposed in this single breach.
What makes this one worse than a typical email-and-password leak is the type of data involved. The compromised records may include names, addresses, email addresses, phone numbers, dates of birth, and government-issued ID numbers like driver’s license and passport numbers. You can change a password in two minutes. You cannot change your date of birth, and replacing a passport is a slow and expensive process.
How to check if you were affected
Carnival started sending notifications to affected individuals by letter and email on May 27, 2026. Here is how to find out where you stand.
Check your email, including your spam and junk folders, for a message from Carnival Corporation about the incident. Notification letters are also going out by mail to the addresses Carnival has on file. If your contact details have changed since you last sailed, you may not get a direct notice, so do not assume you are in the clear just because nothing has landed in your inbox.
You can also call Carnival’s dedicated breach call center at 1-844-593-8310, open Monday through Friday from 7 a.m. to 7 p.m. Central Time. The staff there can help confirm whether your information was involved and walk you through enrolling in the credit monitoring Carnival is offering.
Affected U.S. customers are being offered two years of free credit monitoring through TransUnion. If you receive a notice, enroll. It costs you nothing and it adds a layer of watching over your credit file that you would otherwise have to set up yourself.
What to do to protect yourself right now
Whether or not you have received a notice yet, the steps below are worth taking. If passport or driver’s license numbers were part of your record, treat this as urgent. That is enough information for someone to open accounts in your name.
Freeze your credit or set a fraud alert
A credit freeze blocks new lenders from pulling your credit report, which stops most attempts to open accounts under your name. It is free, and you can lift it temporarily when you need to apply for credit yourself. A fraud alert is a lighter-touch option that tells lenders to take extra steps to verify your identity. You set up either one directly with the three major credit bureaus:
- Experian
- Equifax
- TransUnion
You only need to contact one bureau to place a fraud alert, since it is required to notify the other two. For a freeze, set it up with all three.
Turn on multi-factor authentication
Multi-factor authentication, or MFA, asks for a second proof of identity beyond your password, usually a code from an app or a text. Turn it on everywhere you can, and prioritize anything tied to your money: banking, credit card, and email accounts. Even if a criminal has your password, MFA gives them a wall to climb that most will not bother with.
Stop reusing passwords
If you use the same password across multiple sites, one leak puts all of those accounts at risk. Use a unique password for every account and store them in a password manager so you do not have to remember each one. This is one of the single most effective habits for limiting the damage of any breach.
Be skeptical of unexpected calls, texts, and emails
Criminals use stolen details to make their scams more convincing. A caller who already knows your name, your address, and that you sailed with Carnival sounds a lot more legitimate than a random cold call. Be wary of anyone who contacts you out of the blue claiming there is an urgent problem and asking for money or sensitive information. If you did not start the conversation, do not trust it. Hang up and contact the company yourself using a number you look up independently.
Watch your statements and credit reports
Review your bank and credit card statements regularly for charges you do not recognize, and check your credit reports for new accounts you did not open. You are entitled to free credit reports from each of the three bureaus. Catching fraud early is far easier than unwinding it after months have passed.
The bigger lesson behind this breach
The Carnival breach is a reminder that the weakest point in most security setups is not the technology. It is a person being tricked. Social engineering attacks work because they target trust, not firewalls, and the rise of AI tools that can fake voices, write flawless emails, and impersonate real people is making these schemes easier to pull off and harder to spot.
That is true for a cruise line with millions of customers, and it is just as true for a small business in Central Texas. The same tactic that fooled a Carnival employee can be aimed at your front desk, your bookkeeper, or you. Strong passwords, multi-factor authentication, and a healthy dose of skepticism toward unexpected requests are the habits that hold the line.
